17 Nov Password manager and polices are not enough
How security is shifting away from password reliance and login architecture
Depending on who you ask, a few strong passwords is plenty to deal with modern threats. However, for others, it’s a completely failed system. Login codes have been the first vanguard of defense against hackers and malicious parties for a long time. But as technology has advanced, so too have the methods for busting through digital security.
Today, threat-actors deploy a wide variety of assets to crack logins and break into networks. For example, bot networks typically attempt to brute force pass phrases, usually with compromised systems, or, by using programs which draw from thousands of “simple” passwords. Other factors brutalizing the problems is the fact logins are reused or scarcely changed, meaning a single hacked password can create a domino effect of intrusion problems. That’s nothing to say of password sharing or circulation, which exacerbates the problem.
So, what was the solution? Managers and recommendations – especially by the NIST (National Institute of Standards and Technology) – try to address this by enforcing password policy. Complex logins or different logins for various websites, programs, and apps was (and is) the general strategy. It doesn’t go very far, however, as password complexity remains simple as does the saturation of reused passwords.
The primary issue surrounding it all is how passwords are utilized. It’s not to suggest you should go without them, but how we handle, use, and store our logins is wildly outdated.
But aren’t there viable options for password management?
Because of the issues we’ve thus far discussed, trying to develop a streamlined response to password-related digital threats have cropped up over the years. However, these current options have become less effective as time has gone on. The strategies involved have gotten advanced, by “security culture” as it’s referred to in the IT realm hasn’t caught up. Complex logins, NIST’s guidelines, and password manages are standard in combatting password fraud and breaches.
NIST’s Guidelines
The NIST has been long providing resources and guidelines for fending off cybersecurity breaches. One of its measures includes information for handling password life cycles, such as their lifespan on a company network.
They have key areas addressing the core philosophy of good password hygiene. Some of the fundamentals to the NIST password guidelines are:
- Block logins found in compromised lists and block logins that are overly simple
- Require longer passwords
- Prevent and reduce repetitive use passwords within a network
There have been changes since the initial guidelines. It was once recommended to routinely change passwords after a designated timeframe (like every few months). And, it was also recommended to include variations in the login like upper case letters and special symbols. Those have been removed and are no longer considered as effective.
They’ve been an essential framework for not only password policy, by cybersecurity and IT architecture too.
However, that leads into the next problem.
Reliance on Password Mangers
Utilizing repetitive phrases and logins has long been the bane of basic cybersecurity standards. Despite insistence not to do it, it’s still a common issue. Why? Simply put, remembering complicated logins, much less multiple ones, is difficult for most people.
For that, another solution came into the mix: a password manager. They’ve emerged over the past years and operate with the goal of automatically creating and storing complex logins. However, since they’re stored in a browser extension, there’s no need to remember the actual randomly generated password.
This was in place of needing to reset a business login every 90 days. But today, not even password managers are reliable. Consider, for example, that you’re relying on something to remember a login for you.
But, another reality is that password managers can be compromised too. They’re a third-party plugin or app which stores your generated login, and that could be for multiple logins. What happens if they’re breached or passwords or compromised? It’s happened before. LastPass has suffered multiple breach events, and it’s a common choice for businesses and users. While it operates on a “zero knowledge” basis (admins do not have access to store passwords), other managers may not operate the same way.
Password Policy Rules
Password security lastly comes down to enforcement of actual password use through comprehensive policies. These regulate and educate users on healthy login strategies, such as what we’ve discussed in the article (complex passwords, blacklisting compromised logins). They’re useful when deployed by management and IT administrators, as it gives them a great deal of insight and control over login use. But, there are some hiccups when it comes to policy enforcement.
For one, only handfuls of organizations actually use a password policy system. And, those that do still encounter internal errors, such as password sharing among coworkers. There’s no guideline for this, and the NIST philosophy doesn’t cover management strategies. Rather, it focuses on using authentication tools and resources, like MFA and biometrics.
The need to move forward
It’s clear that cybersecurity strategies taking a heavy focus on logins and passwords are losing time, resources, and money. These days, they don’t hold up as well, and it’s not a wise idea to put all your chips into security logins. That isn’t to suggest they’re not useful, and shouldn’t be used (that’s the worst possible idea). But password focused cybersecurity stratagem is eroding in effectiveness.
What can I do?
Utilizing different tools and resources for data protection will yield more reliable results in terms of protection. Rather than trying to reinvent a failing system, additional safeguards and methods to shield your network is recommended.
Even then, that’s difficult. You can also look into third party IT assistance such as with an MSP. For additional information, you can reach out to Bytagig.
About Bytagig
Bytagig is dedicated to providing reliable, full-scale cyber security and IT support for businesses, entrepreneurs, and startups in a variety of industries. Bytagig works both remotely with on-site support in Portland, San Diego, and Boston. Acting as internal IT staff, Bytagig handles employee desktop setup and support, comprehensive IT systems analysis, IT project management, website design, and more. Bytagig is setting the standard for MSPs by being placed on the Channel Future’s NexGen 101 list.
Sorry, the comment form is closed at this time.